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Abstract 

This paper develops a novel framework for sharing secret keys using the well-known Automatic Repeat reQuest 
(ARQ) protocol. The proposed key sharing protocol does not assume any prior knowledge about the channel state 
information (CSI), but, harnesses the available opportunistic secrecy gains using only the one bit feedback, in the 
form of ACK/NACK. The distribution of key bits among multiple ARQ epochs, in our approach, allows for mitigating 
the secrecy outage phenomenon observed in earlier works. We characterize the information theoretic limits of the 
proposed scheme, under different assumptions on the channel spatial and temporal correlation function, and develop 
low complexity explicit implementations. Our analysis reveals a novel role of "dumb antennas" in overcoming the 
negative impact of spatial correlation, between the legitimate and eavesdropper channels, on the achievable secrecy 
rates. We further develop an adaptive rate allocation policy which achieves higher secrecy rates by exploiting the 
channel temporal correlation. Finally, our theoretical claims are validated by numerical results that establish the 
achievability of non-zero secrecy rates even when the eavesdropper channel is less noisy, on the average, than the 
legitimate channel. 

Index Terms 

Private Keys, ARQ, Opportunistic Communication, Physical Layer Security, Temporal and Spatial Correlation. 

I. Introduction 

The recent flurry of interest on wireless physical layer secrecy is inspired by Wyner's pioneering work on the 
wiretap channel. Under the assumption that the eavesdropper channel is a degraded version of the legitimate channel, 
Wyner showed in [1], [2] that perfectly secure communication is possible by hiding the message in the additional 
noise level seen by the eavesdropper. The effect of fading on the secrecy capacity was studied later. In particular, by 
appropriately distributing the message across different fading realizations, it was shown that the multi-user diversity 
gain can be harnessed to enhance the secrecy capacity, e.g. [3], [8]. More recently, the authors of [4] proposed 
using the well-known Hybrid ARQ protocol to facilitate the exchange of secure messages over fading channels. 
This paper extends this line of work by developing a novel ARQ-based approach for secret key sharing between two 
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legitimate users (Alice and Bob), communicating over a wireless channel, in the presence of a passive eavesdropper 
(Eve). The shared key can then be used to secure any future message transmission. 

One innovative aspect of our framework is the distribution of key bits over an asymptotically large number of 
ARQ epochs. This approach allows for overcoming the secrecy outage phenomenon observed in [4] at the expense 
of increased delay. In this setup, we characterize the fundamental information theoretic limits on the maximum 
achievable key rate; subject to a perfect secrecy constraint. Our information theoretic analysis inspires the design of 
explicit ARQ protocols that attain an excellent throughput-delay-secrecy tradeoff with a realizable coding/decoding 
complexity. It also reveals the negative impact of spatial correlation on the achievable key rate. This problem 
is mitigated via the efficient use of dumb antennas which is shown to effectively decorrelate the legitimate and 
eavesdropper channels in the asymptotic limit of a large number of transmit antennas. Moreover, we propose a 
greedy rate adaptation algorithm capable of transforming the temporal correlation in the legitimate channel into 
additional gains in the secrecy rate. In a nutshell, our results demonstrate the achievability of non-zero perfectly 
secure key rate over fading channels by opportunistically exploiting the ARQ feedback (even when the eavesdropper 
channel is less noisy, on the average, than the main channel). 

The rest of this paper is organized as follows. Our system model is detailed in Section II. Section III develops 
the main results for the spatially independent block fading model. In Section IV, we extend our analysis to spatially 
and temporally correlated channels, whereas numerical results that validate our theoretical claims are presented in 
Section V. Finally, Section VI offers some concluding remarks and our proofs are collected in the Appendices to 
enhance the flow of the paper 

II. System Model 

Our model, shown in Figure 1, assumes one transmitter (Alice), one legitimate receiver (Bob) and one passive 
eavesdropper (Eve). We adopt a block fading model in which the channel is assumed to be fixed over one coherence 
interval and changes from one interval to the next. In order to obtain rigorous information theoretic results, we 
consider the scenario of asymptotically large coherence intervals and allow for sharing the secret key across an 
asymptotically large number of those intervals. The finite delay case will be considered as well. In any particular 
interval, the signals received by Bob and Eve are respectively given by, 

y{i,i) = 9b{i)x{i,j) +Wbii,j), (1) 

= 9e{i)x{i,j)+We{i,j), (2) 

where x{i,j) is the j*'' transmitted symbol in the i*'' block, y{i,j) is the j*'' received symbol by Bob in the i*'' 
block, z{i, j) is the j"' received symbol by Eve in the i^^ block, gb{i) and ge{i) are the complex block channel 
gains from Alice to Bob and Eve, respectively. The channel gains can also be written as 

gb{i) = y/hb{i)cicp{j6b{i)) (3) 
ge{i) = V'MO exp(j6'e(i)), (4) 
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where 6ii{i) and 9e{i), the phase shifts at Bob and Eve respectively, are assumed to be independent in all considered 
scenarios. Moreover, Wb{i,j) and We{i,j) are zero-mean, unit variance white complex Gaussian noise coefficients 
at Bob and Eve, respectively. We do not assume any prior knowledge about the channel state information at Alice. 
Bob, however, is assumed to know gb{i) and Eve is assumed to know both gb{i) and ge{i) a-priori. We impose 
the following short-term average power constraint 



Our model only allows for one bit of ARQ feedback from Bob to Alice. Each ARQ epoch is assumed to be 
contained in one coherence interval (i.e., fixed channel gains) and that different epochs correspond to different 
coherence intervals. The transmitted packets are assumed to carry a perfect error detection mechanism that Bob 
(and Eve) can use to determine whether the packet has been received correctly or not. Based on the error check. 
Bob sends back to Alice an ACK/NACK bit, through a public and error-free feedback channel. Eve is assumed to 
be passive (i.e., can not transmit); an assumption which can be justified in several practical settings. To minimize 
Bob's receiver complexity, we adopt the memoryless decoding assumption implying that frames received in error 
are discarded and not used to aid in future decoding attempts. 



Our main results are first derived for the scenario where hb and hf. vary independently from one block to another 
according to a joint distribution / {hb, he). The impact of temporal correlation on the performance of our secret 
key sharing protocols will be investigated in the next section. 

A. Information Theoretic Foundation 

In our setup, Alice wishes to share a secret key M^e>V = {l,2,-- - , Af} with Bob. To transmit this key, Alice 
and Bob use an (Af, to) code consisting of : 1) a stochastic encoder /m(-) at Alice that maps the key u; to a 
codeword a;'" £ A"'", 2) a decoding function (f): 3^™ W which is used by Bob to recover the key. The codeword 
is partitioned into a blocks, each one corresponds to one ARQ-epoch and contains rti symbols where to = ani. 
For now, we focus on the asymptotic scenario where a ^ oo and rii oo. 

Alice starts with a random selection of the first block of ni symbols. Upon reception. Bob attempts to decode 
this block. If successful, it sends an ACK bit to Alice who moves ahead and makes a random choice of the second 
Til and sends it to Bob. Here, Alice must make sure that the concatenation of the two blocks belong to a valid 
codeword. As shown in the sequel, this constraint is easily satisfied. If an error was detected, then Bob sends a 
NACK bit to Alice. To simplify the analysis, we assume that the error detection mechanism is perfect which is 
justified in the asymptotic scenario ni — *■ oo. In this case, Alice replaces the first block of ni symbols with another 
randomly chosen block and transmits it. The process then repeats until Alice and Bob agree on a sequence of a 
blocks, each of length ni symbols, corresponding to the key. 

The code construction must allow for reliable decoding at Bob while hiding the key from Eve. It is clear that the 
proposed protocol exploits the error detection mechanism to make sure that both Alice and Bob agree on the key 




(5) 



III. Secrecy via ARQ 
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(i.e., ensures reliable decoding). What remains is the secrecy requirement which is measured by the equivocation 
rate defined as the entropy rate of the transmitted key conditioned on the intercepted ACKs or NACKs and the 
channel outputs at Eve, i.e.. 

Re = -H{W\Z^,K\GlGl) , (6) 
n 

where n is the number of symbols transmitted to exchange the key (including the symbols in the discarded blocks 
due to decoding errors), b — a^, = {-^(1), ■ • ■ , K{b)} denotes sequence of ACK/NACK bits, G\ and G\ are 
the sequences of channel coefficients seen by Bob and Eve in the 6 blocks, and Z" = {^(1), • • • , Z{n)} denotes 
Eve's channel outputs in the n symbol intervals. We limit our attention to the perfect secrecy scenario, which 
requires the equivocation rate Re to be arbitrarily close to the key rate. The secrecy rate Rs is said to be achievable 
if for any e > 0, there exists a sequence of codes (2"-'^= , m) such that for any m > m(e), we have 

Re = -H{W\Z'\K'',GlGl) > Rs-e (7) 
n 

and the key rate for a given input distribution is defined as the maximum achievable perfect secrecy rate with this 
distribution. The following result characterizes this rate, assuming a Gaussian input distribution 
Theorem 1: The key rate for the memoryless ARQ protocol with Gaussian inputs is given by: 

= max E|[i?o-log,(l + /ieP)]+]I(i?o < log,(l + /ifcP))| (8) 

Ro,P<P ^ J 

where [x]'^ ~ max(0,a;) and I(.t) = 1 if x is true and otherwise. For the special case of spatially independent 
fading, i.e. / {hi,, he) = f (hb) f (he)) the above expression simplifies to 

Ci^) = max {Pr(i?o < log2(l + hi,P))E[Ro - log2(l + heP)]+} (9) 

Ro-P<P 

A few remarks are now in order 

1) It is clear from (8) that a positive secret key rate is achievable under very mild conditions on the channels 
experienced by Bob and Eve. More precisely, unlike the approach proposed in [4], Theorem 1 establishes 
the achievabiUty of a positive perfect secrecy rate by appropriately exploiting the ARQ feedback even when 
Eve's average SNR is higher than that of Bob. 

2) Theorem 1 characterizes the fundamental limit on secret key sharing and not message transmission. The 
difference between the two scenarios stems from the fact that the message is known to Alice before starting 
the transmission of the first block, whereas Alice and Bob can defer the agreement on the key till the last 
successfully decoded block. This observation was exploited by our approach in making Eve's observations 
of the frames discarded by Bob, due to failure in decoding, useless. 

3) It is intuitively pleasing that the secrecy key rate in (9) is the product of the probability of success at Bob 
and the expected value of the additional mutual information gleaned by Bob, as compared to Eve, in those 
successfully decoded frames. 

4) We stress the fact that our approach does not require any prior knowledge about the channel state information. 
The only assumption is that the public feedback channel is error-free, authenticated, and only accessible by 
Bob. 
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5) The achievability of (8) hinges on a random binning argument which only establishes the existence of a coding 
scheme that achieves the desired rate. Our result, however, stops short of explicitly finding such optimal coding 
scheme and characterizing its encoding/decoding complexity. This observation motivates the development of 
the expUcit secrecy coding schemes in Section III-B. 

B. Explicit Secrecy Coding Schemes 

This section develops explicit secrecy coding schemes that allow for sharing keys using the underlying memoryless 
ARQ protocol with realizable encoding/decoding complexity and delay. We proceed in three steps. The first step 
replaces the random binning construction, used in the achievability proof of Theorem 1 , with an explicit coset coding 
scheme for the erasure-wiretap channel. This erasure-wiretap channel is created by the ACK/NACK feedback and 
accounts for the computational complexity available to Eve. In the second step, we limit the decoding delay by 
distributing the key bits over only a finite number of ARQ frames. Finally, we replace the capacity achieving 
Gaussian channel code with practical coding schemes in the third step. Overall, our three-step approach allows for 
a nice performance-vs-complexity tradeoff. 

The perfect secrecy requirement used in the information theoretic analysis does not impose any limits on Eve's 
decoding complexity. The idea now is to exploit the finite complexity available at Eve in simphfying the secrecy 
coding scheme. To illustrate the idea, let's first assume that Eve can only afford maximum likelihood (ML) decoding. 
Hence, successful decoding at Eve is only possible when 

Ro<log^il + heP), (10) 

for a given transmit power level P. Now, using the idealized error detection mechanism. Eve will be able to 
identify and erase the frames decoded in error resulting in an erasure wiretap channel model. In practice. Eve 
may be able to go beyond the performance of the ML decoder For example. Eve can generate a list of candidate 
codewords and then use the error detection mechanism, or other means, to identify the correct one. In our setup, we 
quantify the computational complexity of Eve by the amount of side information Rc bits per channel use offered 
to it by a Genie. With this side information, the erasure probability at Eve is given by 

e ^ Pi [Ro - Rc > log^il + KP)) , (11) 

since now the channel has to supply only enough mutual information to close the gap between the transmission 
rate Rq and the side information Rc- The ML performance can be obtained as a special case of (11) by setting 
Rc = 0. 

It is now clear that using this idea we have transformed our ARQ channel into an erasure-wiretap channel, as 
in Figure 2. In this equivalent model, we have a noiseless link between Alice and Bob, ensured by the idealized 
error detection algorithm, and an erasure channel between Alice and Eve. The following result characterizes the 
achievable performance over this channel 
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Lemma 2: The secrecy capacity for the equivalent erasure-wiretap channel is 



= max_ {i?oE [I ((i?o < log2(l + h^P)) . (i?o - Rc> \og^{l + heP)))]) 



Ra,P<P 



= max_{i?oPr(i?o < logall + hbP),Ro - Rc > log2(l + KP))} 



Ro,P<P 



(12) 



In the case of spatially independent channels, the above expression reduces to 



Ro-P<P 



max_{i?o Pr(i?o < log2(l + hbPj) Pr(i?o - i?c > log2(l + heP})} 



(13) 



The proof follows from the classical result on the erasure-wiretap channel [2]. It is intuitively appealing that 
the expression in (13) is simply the product of the transmission rate per channel use, the probability of successful 
decoding at Bob, and the probability of erasure at Eve. The main advantage of this equivalent model is that it lends 
itself to the explicit coset LDPC coding scheme constructed in [5], [6], [7]. In summary, our first low complexity 
construction is a concatenated coding scheme where the outer code is a coset LDPC for secrecy and the inner one 
is a capacity achieving Gaussian code. The underlying memoryless ARQ is used to create the erasure-wiretap 
channel matched to this concatenated coding scheme. 

The second step is to limit the decoding delay resulting from the distribution of key bits over an asymptotically 
large number of ARQ blocks in the previous approach. To avoid this problem, we limit the number of ARQ frames 
used by the key to a finite number k. The implication for this choice is a non-vanishing value for secrecy outage 
probability. For example, if we encode the message as the syndrome of the rate (fc — parity check code then 
Eve will be completely blind about the key if at least one of the k ARQ frames is erased [5], [6], [7] (Here the 
distilled key is the modulo-2 sum of the key parts received correctly). The secrecy outage probability, assuming 
spatially independent channels, is therefore 



where he{l),---,he{k) are i.i.d. random variables drawn according to the marginal distribution of Eve's channel. 
Assuming a Rayleigh fading distribution, we get 



Under the same assumption, it is straightforward to see that the average number of Bernoulli trials required to 
transfer k ARQ frames successfully to Bob is given by 




(14) 




(15) 




(16) 



resulting in a key rate 




(17) 
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Therefore, for a given i?c and P, one can obtain a tradeoff between Pout and Rk by varying Rq. Our third, 
and final, step is to relax the assumption of a capacity achieving inner code. Section V reports numerical results 
with practical coding schemes, including uncoded transmission, with a finite frame length ni. Overall, these results 
demonstrate the ability of the proposed protocols to achieve near-optimal key rates, under very mild assumptions, 
with realizable encoding/decoding complexity and bounded delay. 



A. Dumb Antennas for Secrecy 

One of the important insights revealed by Theorem 1 is the negative relation between the achievable key rate 
and the spatial correlation between the main and eavesdropper channels. In fact, one can easily verify that the key 
rate collapses to zero in the fully correlated case (i.e., h[, = with probability one) independent of the marginal 
distribution of hi,. In this section, we propose a solution to this problem based on a novel utilization of "dumb 
antennas." The concept of dumb antennas was introduced in [9] as a means to create artificial channel fluctuations 
in slow fading environments. These fluctuations are used to harness opportunistic performance gains in multi-user 
cellular networks. As indicated by the name, one of the attractive features of this approach is that the receiver(s) 
can be oblivious to the presence of multiple transmit antennas [9]. We use dumb transmit antennas to de-correlate 
the main and eavesdropper channels as follows. Alice is equipped with N transmit antennas, whereas both Bob 
and Eve will still have only one receive antenna. In order to simplify the presentation, we focus on the case of 
the symmetric fully correlated line of sight channels; whereby the magnitudes of the channel gains are all equal to 
one. The rest of our modeling assumption remains as detailed in Section II. The same data stream is transmitted 
from the N transmitted after applying an i.i.d uniform phase to each of the N signals. Also, Bob is assumed to 
perturb its location in each ARQ frame resulting in a random and independent phase shift (from that experienced 
by Eve). Our multiple transmit antenna scenario, therefore, reduces to a single antenna fading wiretap channel with 
the following equivalent channel gains 



where diB, diE, and difj are i.i.d. and uniform over [— 7r,7r] that remain fixed from one ARQ frame and change 
randomly from one frame to the next. One can now easily see that as increases, the marginal distribution of 
each equivalent channel gain approaches a zero-mean complex Gaussian with unit variance (by the Central Limit 
Theorem (CLT) [11]). It is worth noting that the correlation coefficient between the two channels' equivalent power 
gains depends on the instantaneous channels' phases Ois's and OiE's for i = 1, . . . , A^. It can be easily shown that, in 
the limit of ^ oo, this correlation coefficient between the two channels power gains converges in a mean-square 
sense to zero (please refer to Appendix B for the proof). Therefore, in the asymptotic limit of a large N, our dumb 



IV. Correlated Fading 




(18) 




(19) 
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antennas approach has successfully transformed our fully correlated line of sight channel into a symmetric and 
spatially independent Rayleigh wiretap channel; whose secrecy capacity (assuming Gaussian inputs) is reported in 
Theorem 1. The numerical results reported in the sequel demonstrate that this result is not limited to line of sight 
channels, and that this asymptotic behavior can be observed for a relatively small number of transmit antennas. 

B. Temporal Correlation 

Thus far, we have assumed that the channel gains affecting different frames are independent. This assumption 
renders optimal the stationary rate allocation strategy of Theorem 1. In this section, we relax this assumption 
by introducing temporal correlation between the channel gains experienced by successive frames. Assuming high 
temporal correlation and if a stationary rate strategy is employed and it is less than Eve's channel capacity, all 
the information transmitted will be leaked to Eve. On the other hand, if the rate is much less than Bob's channel 
capacity, additional gains in the secrecy capacity will not be harnessed. Hence, we are going to employ a rate 
adaptation strategy in which the optimal rate used in each frame is determined based on the past history of 
ACK/NACK feedbacks and the rates used in previous blocks. More specifically, following in the footsteps of [10], 
the optimal rate allocation policy can be formulated as follows (assuming a short term average power constraint P 
and a Gaussian input distribution). 



where Rt_i ~ [i?o, ■ • ■ 7 Rt-i] is the vector of previous transmission rates and Kf_i = [Kq, ■ ■ ■ , Kt-i] is the vector 
of previously received ACKs and NACKs. The basic idea is that, after frame {t — 1), the posteriori distribution of 
/lb is updated using Rt_i and Kt_i. The expected secrecy rate, in future transmissions, is then maximized based 
on this updated distribution. It is worth noting that the above expression assumes no spatial correlation between 
/le and hh. This assumption represents the worst case scenario since it prevents Alice from learning the channel 
gains impairing Eve through the ARQ feedback. Since the channel gain is not observed directly, but through an 
indicator in the form of ARQ feedback, the optimal rate assignment, when the channel is Markovian, is a Partially 
Observable Markov Decision Process (POMDP). The solution of this POMDP is computationally intractable except 
for trivial cases. This motivates the following greedy rate allocation policy 



Interestingly, the numerical results reported in the following section demonstrate the ability of this simple strategy 
to harness significant performance gains in first order Markov channels. Note that the performance of any rate 
allocation policy can be upperbounded by the ergodic capacity with transmitter CSI (and short term average power 
constraint P), i.e.. 




(20) 



where 



Vx{Rt < l0g2(l + h^tPWhARt - l0g2(l + heP)]+, 




(21) 
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Cer = E„^,„Jl0g2(l+/lbP)-l0g2(l + /ieP)] + , (22) 

which is achieved by the optimal rate allocation policy Rt = log2(l + hb tP). In fact, one can view the rate 
assignment policy of (20) as an attempt to approach the rate of (22) by using the ARQ feedback to obtain a better 
estimate of /i^ f after each fading block. 

V. Numerical Results 

Throughout this section, we focus on the symmetric scenario, where the average SNRs experienced by both Bob 
and Eve are the same, i.e., E (/i;,) = E (/ig) = 1. We further assume Rayleigh fading channels, for both Bob and 
Eve. Assuming spatially and temporally independent channels, the achievable secrecy rate in (9) becomes 

Cs = maxexp (-^^) • [r. ^^^^ [E: (1/P) - E, (2^7^^)] } (23) 

where E{ {x) — exp (— t) /tdt. 

Figure 3 gives the variation of Cg and Ce with SNR under different constraints on the decoding capabilities of 
Eve, captured by the genie-given side information. Re- It is clear from the figure that Ce can be greater than Cg for 
certain Rc and SNR values. For instance, in the case of Rc ~ 0, a packet received in error at Eve will be discarded 
without any further attempts at decoding. Therefore, the instantaneous secrecy rate becomes R^, which is larger 
than that used in (9) Cs{i) = Rq — log2(l + he{i)P) where Cs{i), he{i) are the instantaneous secrecy rate, and 
Eve's channel power gain, respectively. Averaging over all fading realizations, we get a greater Ce than Cg- It is 
worth noting that, under the assumptions of the symmetric scenario and the Rayleigh fading model, the scheme 
proposed in [4] is not able to achieve any positive secrecy rate (i.e., probability of secrecy outage is one). 

Next, we turn our attention to the delay-hmited coding constructions proposed in Section III-B. Figures 4 and 5 
show, for different Rq and R^, the tradeoff between the secrecy outage probability and key rate for the proposed 
rate (fc — l)/fc coset secrecy coding scheme assuming an optimal inner Gaussian channel coding. Figure 4 gives 
the key rate corresponding to a desired secrecy outage probability, given some values for Rq and Rc- Figure 5, on 
the other hand, quantifies the reduction in key rate, corresponding to a certain outage probability, as Rc increases. 
In Figure 6, we relax the optimal channel coding assumption and plot key rates for practical coding schemes and 
finite frame lengthes (i.e., finite ni). The code used in the simulation is a punctured convolutional code derived 
from a basic 1/2 code with a constraint length of 7 and generator polynomials 133 and 171 (in octal). We assume 
that Eve is genie-aided and can correct an additional 50 erroneous symbols (beyond the error correction capability 
of the channel code). From the figure, we see that the key rate increases with increasing SNR and then drops 
after reaching a peak value. Note that the transmission rate is fixed and independent of the SNR. Therefore, a low 
SNR means more transmissions to Bob and a consequent low key rate. As the SNR increases, while keeping the 
transmission rate fixed, the key rate increases. However, increasing the SNR also means an increased ability of Eve 
to correctly decode the codeword-carrying packets. This explains why the key rate curves peak and then decay with 
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SNR. In practice, one can always operate at the optimal value of the SNR by adjusting the transmit power level. 
We also observe that for a certain modulation and channel coding scheme, decreasing the packet size in bits lowers 
the key rate. Reducing the packet size increases the probability of correct decoding by Bob and, thus, decreases 
the number of transmissions. However, it also increases the probability of correct decoding by Eve and the overall 
effect is a decreased key rate. 

The role of dumb antennas in increasing the secrecy capacity of spatially correlated ARQ channels is investigated 
in the next set of figures. In our simulations, we assume that the channel gains are fully correlated, but the channel 
phases are independent. The independence assumption for the phases is justified as a small change in distance 
between Bob and Eve in the order of several electromagnetic wavelengths translates to a significant change in 
phase. Under these assumptions, it is easy to see that with one transmit antenna the secrecy capacity is zero. In 
Figure 7, it is shown that as the number of antennas N increases, the secret key rate approaches the upper bound 
given by (9) which assumes that the main and eavesdropper channels are independent. The same trend is observed 
in Figures 8, 9, and 10 which generate the channel gains using chi-square distribution with different degrees of 
freedom. Overall, this set of results validates the theoretical claim of Appendix B, indicating that dumb antennas 
can be used to de-correlate the main and eavesdropper channels, even for a relatively small number of transmit 
antennas. 

Figure 11 reports the performance of the greedy rate adaptation algorithm for temporally correlated channels. 
The channel is assumed to follow the first order Markov model: 

g{t) = (1 - a)g{t - 1) + y/2a-a^w{t) (24) 

where w{t) is the innovation process following CAf{Q, 1) distribution. As expected, it is shown that as a decreases, 
the key rate increases. For the extreme points when a ~ or a = 1, we get an upper bound, which is the ergodic 
secrecy under the main-channel transmit CSI assumption, and a lower bound, which is the ARQ secrecy capacity 
in case of independent block fading channel, respectively. 

VI. Conclusions 

This paper develops a novel overlay approach for sharing secret keys using existing ARQ protocols. The 
underlying idea is to distribute the key bits over multiple ARQ frames and then use the authenticated ACK/NACK 
feedback to create an equivalent degraded channel at the eavesdropper Our results estabhsh the achievability of 
non-zero secrecy rates even when the eavesdropper is experiencing a higher average SNR than the legitimate 
receiver and shed light on the structure of optimal ARQ secrecy protocols. It is worth noting that our approach 
does not assume any prior knowledge about the instantaneous CSI; only prior knowledge of the average SNRs 
seen by the eavesdropper and the legitimate receiver are needed. Inspired by our information theoretic analysis, 
we have constructed low complexity secrecy coding schemes by transforming our channel to an erasure wiretap 
channel which lends itself to explicit coset coding approaches. Our secrecy capacity characterization reveals the 
negative impact of spatial correlation and the positive impact of temporal correlation on the achievable key rates. 
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The former phenomenon is mitigated via a novel "dumb antennas" technique, whereas the latter is exploited 
via a greedy rate adaptation policy. Finally, our theoretical claims have been validated via numerical examples 
that demonstrate the efficiency of the proposed schemes. The most interesting part of our work is, perhaps, the 
demonstration of the possibility of sharing secret keys in wireless networks via rather simple modifications of the 
existing infrastructure which, in our case, corresponds to the ARQ mechanism. This observation motivated our 
follow-up work on developing secrecy protocols for Wi-Fi networks [13]. 

Appendix A 
Proof of Theorem 1 

In this appendix, we are going to prove both the achievability and converse of (8). 
A. Achievability Proof 

The proof is given for a fixed average power P < P and transmission rate Rq. The key rate is then obtained 
by the appropriate maximization. Let Rs — ci^' — 5 for some small 6 > and R — Rq — e. We first generate all 
binary sequences {V} of length mR and then independently assign each of them randomly to one of 2"^= groups, 
according to a uniform distribution. This ensures that any of the sequences are equally likely to be within any of 
the groups. Each secret message w G {1, • • • , 2"'''^} is then assigned a group V(iy). We then generate a Gaussian 
codebook consisting of 2"i(^o~'^) codewords, each of length ni symbols. The codebooks are then revealed to Alice, 
Bob, and Eve. To transmit the codeword, Alice first selects a random group v(i) of riii? bits, and then transmits 
the corresponding codeword, drawn from the chosen Gaussian codebook. If Alice receives an ACK bit from Bob, 
both are going to store this group of bits and selects another group of bits to send in the next coherence interval 
in the same manner If a NACK was received, this group of bits is discarded and another is generated in the same 
manner. This process is repeated till both Alice and Bob have shared the same key w corresponding to nRs bits. 
We observe that the channel coding theorem implies the existence of a Gaussian codebook where the fraction of 
successfully decoded frames is given by 

jji 

-=Pr(i?o<log2(l + /i6P)), (25) 
n 

as ni oo. The equivocation rate at the eavesdropper can then be lower bounded as follows. 

nR, = HiWlZ^'^K^GlGl) 
= H{W\Z''',Gl,Gl) 
= H{W,Z'''\Gl,Gl)- H{Z'^\Gl,Gl) 

= H{W, Z"\ X"'\Gl, Gl) - H{Z"'\Gl, G^) - H{X"'\W, Z'"\ Gl, G°) 
= H{X'''\Gl, Gl) + H{W, GjJ, G°) - H{Z"'\Gl,Gl) - H(X"'\W, Z"\ Gl, G^) 

> iJ(X™|G;j, Gl) + G'i, Gl) - HiZ'^'lGl, G^) - H{X"'\W, Z™, GjJ, G^) 

= i7(X™|G;j, Gl) - I{Z"';X"'\Gl, Gl) - Z"\Gl, Gl) 
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> 



H{X"'\Z"',G'i,G''^)-H{X"'\W,Z'",Gt,Gl) 

a 

^ H{X{j)\Z{j), GtU), GeU)) - H{X"W, Gl Gt) 
^ H{XU)\Z{j),G,U),Ge{j)) - H{X"^\W, Z", Gt, Gl) 



= [HiXij)\G,U),GAj)) - I{Xij);Z{j)\G,ij),G,{j))] - HiX"^\W, Z™, G^ Gt) 

> ^ m [Ro - log2 (1 + Kij)P) - e] - H{X"W, Z™, Gl G^) 



a 



> ^ 711 { [Ro - log2 (1 + h,{j)P)]+ -e}- H{X"^\W, Z"\ Gt, G^) 



id) 



nCi<^^ - H{X"'\W,Z"\Gt,G''^)-me. (26) 



In the above derivation, (a) results from the independent choice of the codeword symbols transmitted in each ARQ 
frame which does not allow Eve to benefit from the observations corresponding to the NACKed frames, (b) follows 
from the memoryless property of the channel and the independence of the X(j)'s, (c) is obtained by removing all 
those terms which correspond to the coherence intervals j ^ Afm, where Afm ~ {j G {1, • • • ,a} ■ hb{j) > he{j)\ijj = 1}, 
where ip is a binary random variable and ?/> = 1 indicates that an ACK was received, and (d) follows from the 
ergodicity of the channel as n, m — > oo. Now we show that the term H{X"^\W, Z™, G^, Gg) vanishes as ni ^ oo 
by using a list decoding argument. In this list decoding, at coherence interval j, the wiretapper first constructs a 
list Cj such that x(j) e Cj if (x(i), z(i)) are jointly typical. Let £ = £i x £2 x • • • x ^a- Given w, the wiretapper 
declares that x™ ~ (x™) was transmitted, if is the only codeword such that x™ G B{w)r\C, where B{w) is the 
set of codewords corresponding to the message w. If the wiretapper finds none or more than one such sequence, then 
it declares an error Hence, there are two types of error events: 1) £1: the transmitted codeword x™ is not in C, 2) £2'. 
3x"' 7^ X™ such that x™ e B{w) n C. Thus the error probability Pr(x'" 7^ x™) = Pi{£i U £2) < Pr(£i) + Pr(£2)- 
Based on the Asymptotic Equipartition Property (AEP) [12], we know that Pi{£i) < ei- In order to bound Pr(£2), 
we first bound the size of Cj. We let 

. 1, (xfi), zfi)) are jointly typical, 
M^UMj)) = <[ ' ' (27) 
0, otherwise. 



Now 



E{||£,||} = E<^5]^,(x(j)|z(j)) 

< 1+ lE{0,(x(j)|z(j))} 

x(j)#xt(j) 

< ^ 2"i[-'^o-i°g2(i+''=(i)-P)-e] 



August 1, 2009 



DRAFT 



SUBMITTED TO THE IEEE TRANSACTIONS ON INFORMATION THEORY 



(28) 



Hence 



E{\\C\\} = n {11^.11} = 2-^ (29) 

Pr(f2) < E i ^ Pr(x'" e 

(a) 

< E{\\C\\2-"^^^} 



„ i: ni([i?o-log2(l + 'ieO)P)-«] + + 7^) 



< 2- 

< 2 

= 2 V ^=1^ /, (30) 

where (a) follows from the uniform distribution of the codewords in B{w). Now as ni — > oo and a — s- cx3, we get 

Pr(f2) < 2-"(^^''-*-^='"+'^^) = 2-"("-^^ 

where c = Pr(/ib > he). Thus, by choosing e > {S/c), the error probability Pr(iS2) ^ as n ^ oo. Now using 
Fano's inequality, we get 

iJ(X™|VF,Z",G'^,G;!) < nSn ->0 asm,n^oo. 
Combining this with (26), we get the desired result. 

B. Converse Proof 

We now prove the converse part by showing that for any perfect secrecy rate Rg with equivocation rate > Rs~e 
as n,m ^ oo, there exists a transmission rate Rq, such that 

R. < E{[i?o-log2(l + /leP)]+I(i?0 <l0g2(l + /lbP))} 

Consider any sequence of (2"^= , m) codes with perfect secrecy rate Rg and equivocation rate i?e, such that 
Re > i?s — e as 71 ^ oo. We note that the equivocation H{W\Z",K^,Gl,Ge) only depends on the marginal 
distribution of Z", and thus does not depend on whether Z{i) is a physically or stochastically degraded version of 
Y{i) or vice versa. Hence we assume in the following derivation that for any fading state, either Z{i) is a physically 
degraded version of Y{i) or vice versa (since the noise processes are Gaussian). Thus we have 

nRe = H{W\Z\K'\GlGl) 

=^ H{W\Z'''\Gl,Gl) 

< H{W\Z-''\ Gt, Gl) - H{W\Z'^, r™, Gt, G^) + m,5,„ 

= I{W-Y'''\Z''\Gl,Gl) + m5n 
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< IiX"';Y"'\Z''',Gt,Gt) + m6m 

H{Y'^\Z"'^ Gl Gl) - Z™, Gl, Gl) + m5^ 

a 

YyH{Y{i)\Y'-\Z'^, Gl, Gl) - i7(y(i)|y'-\ X™, Z™, Gl, Gl) 



< G6(z), G,{i} - H{Y{i)\X{i), Z(^), G,(^), Ge(i))] + m5„ 

a 

J2 1{X{t);Y{{)\Z{t),Gb{t),Ge{i)) + mS^ 

i=l 
a 

I{X{iy,Y{i)\Gb{i), GS)) - I{X{i); Z{i)\Gb{i), G^)) + 

a 

< ^i?o-log2(l+/le(j)^)+W^m 

i=l 
a 

< ^[i?o-log2(l + /ie(j)P)]++m<5™ 



1=1 



(/) 

Re < 



;{[i?0-log2(l + /leP)]+I(i?0 <l0g2(l + /^6P))}+/3'5™ (31) 

where /3 = Pr(i?o < log2(l + hP)) 

In the above derivation, (a) results from the independent choice of the codeword symbols transmitted in each ARQ 
frame which does not allow Eve to benefit from the observations corresponding to the NACKed frames, (b) follows 
from Fano's inequality, (c) follows from the data processing inequality since W X™ forms a 

Markov chain, (d) follows from the fact that conditioning reduces entropy and from the memoryless property of 
the channel, (e) follows from the fact that I{X;Y\Z) = I{X;Y) - I{X;Z) as shown in [1], (f) follows from 
ergodicity of the channel as m,n —> oo. The claim is thus proved. 

Appendix B 
Proof of Decorrelation 

In this appendix, we show that employing multiple transmit antennas makes the correlation between Eve's and 
Bob's channel power gains converge to zero, in a mean-square sense, as the number of antennas N goes to oo. Let 

h = \gir and h = \9T? 
Assuming all to be uniformly distributed in the interval [— 7r,7r], we get, 



= N 



1 

'n 



N 



^cos {e,R + O.b] 

i=l 



N 



^sin(6'jij, + Ois] 

i=l 



N-1 N 

N + 2Y^ {cos {0M + 9^b) cos (ejR + Ojb) + sin {e,R + O^b) sin (OjR + O^b)} 



1 + — ^ Y + - OjR - 9jB) 



(32) 
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Similarly for I2, 

N~l N 

'2 = 1 + iV ^ ^ ^^''^ + ' ^'"^ ' ^'^^ ^^^^ 

Now, taking the expectation of (32) and (33) with respect to the random phases applied on the transmit antenna 
array dm for given values of Ois's and Ois's, we get. 



E(/i) = E(/2) = l (34) 
2 

iV2 



2 ^ 

IE(/i;2) = 1 + ^5] ^ cos [(0,i3-0,B)-(ejB -Sj-b)] (35) 



E«) = E(il)^,,l,^ = ,,^ (36) 
So, the variance of li and I2 is given by, 

var ih) = var (^2) = = af, = ^L_l (37) 
Therefore, the correlation coefficient p between the channels' power gains is given by 

E(;i;2)-E(/i)E(;2) 



^ y/var {li)y/Var {I2) 

N-l N 

= NiN - 1) E E [(^.B - g.i;) - {e,B e,E)] 

^ ' i=l j=i+l 

N~l N 

= Miv^ryE E -s[a.-a,] (38) 

^ ' i=l 

where 

A, = e,B - 0,E and Aj 6I^b - 6Ijb (39) 

Assuming OiB,0iE,(^jB,(^jE are all independent, and uniformly distributed in the interval [— 7r,7r], and taking the 
expectation of p over them, we get, 

E (p) = (40) 



The divergence of p around its mean is given by, 

var(p) - (7^ = " E var (cos (A, - A,)) 



N-l N 

4 



^ ' i=l j=i+l 

4 N{N- 1) 1 



N^{N~1)^' 2 '2 
1 



(41) 



N{N - 1) 

Thus, the standard deviation of p is given by: 

1 _ 1 

^N{N-1) N 

It is evident from (41) that var(p) goes to zero as ^ oo. That is, the correlation coefficient p converges, in a 
mean-square sense, to zero. 



(42) 
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ACK/NACK 




Fig. 1: System model involves a legitimate receiver. Bob, with a feedback channel to the sender, Alice. Eve is a 
passive eavesdropper. We assume block fading channels that are independent of each other. 



(Alice) ^ Noiseless f 




Fig. 2: Erasure-wiretap channel equivalent model. 
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Key Rate 

Fig. 4: Outage probability against key rate for Rc = 2, i?o = 4, 6, 7 and 8, and an average SNR of 30 dB. 




Key Rate 

Fig. 5: Outage probability against key rate for Rq ~ 10, Rc = 3, 4, 5 and 7, and an average SNR of 30 dB. 
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Fig. 6: The key rates required to obtain an outage of 10 against SNR for different packet sizes, = 240 and 
480 bits, and different modulation schemes: uncoded BPSK, coded BPSK, and coded QPSK. 
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Mean SNR dB 



Fig. 7; The key rates using TV = 2, 3, 4, 8 dumb antennas, assuming fully correlated exponential channel gains. 
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Mean SNR dB 



Fig. 8: The key rates using = 3 dumb antennas, assuming fully correlated Chi-Square channel gains with 

different degrees of freedom V = 2,4, 6, 8. 
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Fig. 9: The key rates using = 4 dumb antennas, assuming fully correlated Chi-Square channel gains with 

different degrees of freedom V = 2,4, 6, 8. 
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Fig. 10: The key rates using N = 8 dumb antennas, assuming fully correlated Chi-Square channel gains with 

different degrees of freedom V = 2,4, 6, 8. 
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Fig. 11: The achievable key rates using the greedy scheme under different temporal correlation coefficient a. 
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